University of Maryland University College
Final Exam
Question 1 a) If I were to engineer a product that could be used to spy on users, the first thing I would install would be a rootkit. A rootkit is a clandestine kind of software designed to conceal the fact that an operating system has been compromised. Rootkits allow viruses and other malware to hide from the usual methods of detection and permit continued privileged access to a computer. Because a rootkit runs with full control over the system, it can modify existing software, including the detection software itself. Rootkit detection is difficult because a rootkit can be activated before the operating system has finished booting and is then able to subvert the software intended to find it (Vacca, 2013, pp. 53-54). The next step would be to install spyware and use the rootkit to disguise it as legitimate system files that anti-spyware software will overlook. Once a user purchases this product and connects it, off-site agents would be able to collect files and data and to access and control the infected devices.
b) As a technology procurer for an organization, it is very important to research your vendors. The legitimacy of the vendor needs to be verified, and its workforce, production lines and supply chain need to be checked to ensure that appropriate security measures and monitoring are in place to guard against malicious activity. A security vulnerability assessment needs to be performed on every new information technology product to confirm that it meets the requirements of the organization's IT security policies. It is also useful to apply common security configurations to new products. Security configuration checklists are available from the NIST (National Institute of Standards and Technology) website at https://web.nvd.nist.gov/view/ncp/repository. The NIST National Checklist Program Repository for IT Products (NCP) is a public source of security configuration checklists that provide guidelines for configuring a product for a specific operational environment. These checklists need to be tailored to a specific IT environment's requirements (Morrison, 2013). A purchaser should go through all of these steps before connecting a new IT product to the organization's network, to prevent the spread of malicious software and to avoid exposing the network to hackers and spies.
c) There are a number of ways to lower the risk of intrusions of this kind. It is unrealistic to think that an organization's information system can be 100% secure, but IT managers need to ensure they have security measures and practices in place that keep the risk at a minimal level. It is very important for IT security managers and teams to remain vigilant at all times. Daily security procedures need to be in place that include both offensive and defensive strategies. These include the following:
* Check and maintain firewall configurations frequently.
* Always encrypt sensitive data when transmitting it over networks.
* Run and update anti-virus and anti-spyware software, and any intrusion detection software, every day.
* Monitor and test networks regularly for suspicious activity.
* Test security systems and processes regularly.
* Monitor and track all access to network resources and data.
* Keep current with new and emerging cyber threats.
* Maintain a relevant information security policy.
Following these procedures on a regular basis can aid in the detection of suspicious activity and should minimize the spread of damage in the event of a breach.
d) When a case of intellectual property theft has been discovered, there are a number of steps that need to be taken. The first is to inform management of the breach and then to begin an investigation immediately. One first needs to determine where the data involved resides and establish the scope of the affected project. Data sources that might be relevant to an internal investigation are plentiful and could include employee laptops or workstations, storage media, personal email accounts and so on. Each source then needs to be isolated from the rest of the network and from other unaffected sensitive data, preserved (for example, by taking a forensic image before anything on it is examined, so that timestamps and deleted data are not disturbed) and then evaluated for relevance. If an infection such as a virus is suspected, antivirus software can be used to quarantine the file and isolate it from other files to prevent further damage.
A forensic analysis needs to be conducted that may uncover the source of the data exfiltration. A typical computer forensic analysis could comprise the following (Karchmer, 2013):
* Analysis of removable devices, which can determine what devices were first and most recently connected to a PC and identify which files or folders on a removable device were accessed, and when.
* Analysis of browser databases and Internet history artifacts, which can identify websites that were accessed and when. If unauthorized communications, file transfers or cloud backups are discovered, this can help guide the investigation.
* Analysis of shortcut or link (.lnk) files, which are generated when a user opens files or folders. These link files contain information about the file's source and whether it has been moved or copied.
* Analysis of the system registry (or .plist files on Mac OS X), the database that stores hardware and software configurations. The registry may contain vital information such as which files were recently accessed or which removable devices were recently used.
* Analysis of cloud backup/sync software. Information about the recent installation and use of these programs on a computer may be important: an easy way to steal files is simply to sync them automatically to any device you want.
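The "monitor and track all access to network resources" item in the daily checklist and the cloud backup/sync artifact above come together in the kind of detection an analyst would run over outbound web-proxy logs before or during an investigation like this one. What follows is an added example, not something from Karchmer's article or from any product: the log format, the sample lines, the list of cloud-sync domains, the size threshold and the off-hours window are all constructed assumptions. It totals uploads to cloud-sync services per user and day and reports the accounts that exceed the threshold or upload at night.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of outbound web-proxy log lines (not from any real system).
SAMPLE_LOG = """\
2014-11-03T09:12:41Z user=asmith dst=www.example.com method=GET bytes_out=512 status=200
2014-11-03T09:15:02Z user=asmith dst=mail.example.com method=POST bytes_out=20480 status=200
2014-11-03T02:14:07Z user=jdoe dst=api.dropbox.com method=PUT bytes_out=734003200 status=200
2014-11-03T02:21:55Z user=jdoe dst=api.dropbox.com method=PUT bytes_out=419430400 status=200
2014-11-03T13:40:19Z user=bwong dst=drive.google.com method=POST bytes_out=5242880 status=200
2014-11-03T13:41:03Z user=bwong dst=www.example.com method=GET bytes_out=1024 status=304
2014-11-03T03:58:30Z user=clee dst=files.pcloud.com method=PUT bytes_out=157286400 status=200
"""

# Assumed tuning values; a real deployment derives them from the organization's own baseline.
CLOUD_SYNC_DOMAINS = ("dropbox.com", "drive.google.com", "onedrive.live.com", "box.com", "pcloud.com")
UPLOAD_THRESHOLD_BYTES = 250 * 1024 * 1024   # per user per day, summed over cloud-sync services
OFF_HOURS = range(0, 6)                      # 00:00-05:59, assuming the proxy logs in local time

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kv>.+)$")


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        return {
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
            "user": fields["user"],
            "dst": fields["dst"].lower(),
            "method": fields["method"],
            "bytes_out": int(fields["bytes_out"]),
        }
    except (KeyError, ValueError):
        return None


def is_cloud_sync(host: str) -> bool:
    """Exact or subdomain match only: 'notdropbox.com' must not match 'dropbox.com'."""
    return any(host == d or host.endswith("." + d) for d in CLOUD_SYNC_DOMAINS)


def find_exfil_indicators(log_text: str):
    """Aggregate uploads per (user, day) and report the ones worth an analyst's attention."""
    totals = defaultdict(int)
    off_hours = defaultdict(int)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["method"] not in ("PUT", "POST") or not is_cloud_sync(ev["dst"]):
            continue
        key = (ev["user"], ev["ts"].date())
        totals[key] += ev["bytes_out"]
        if ev["ts"].hour in OFF_HOURS:
            off_hours[key] += 1

    findings = []
    for (user, day), total in sorted(totals.items()):
        reasons = []
        if total > UPLOAD_THRESHOLD_BYTES:
            reasons.append(f"{total / 2**20:.0f} MiB uploaded to cloud-sync services")
        if off_hours[(user, day)]:
            reasons.append(f"{off_hours[(user, day)]} cloud-sync upload(s) during off-hours")
        if reasons:
            findings.append({"user": user, "day": day.isoformat(), "bytes_out": total, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_exfil_indicators(SAMPLE_LOG):
        print(f["day"], f["user"], f["bytes_out"], "; ".join(f["reasons"]))
```

On the sample above the script reports jdoe (1100 MiB at two in the morning) and clee (a smaller upload, but at four in the morning); bwong's 5 MiB to Google Drive during business hours stays below the radar, which is the point of combining a volume threshold with a time-of-day signal rather than relying on either alone.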
Once a successful investigation has identified the person or organization responsible for the theft, the relevant actions need to be taken based on the incident response stipulations in the victim organization's security policy. Whether or not the investigation is successful, the organization still needs to review the incident and make adjustments to improve its security so that this kind of attack cannot occur again.
Question 2 a) In 2001 Microsoft introduced Windows XP (the "XP" stands for "experience"), with the intention that this version of the Windows desktop operating system would offer a new kind of user experience. Windows XP was the most significant upgrade since Windows 95. It is built on the Windows 2000 (NT) kernel, which is known for its dependability and makes XP a stable operating system. Windows XP's interface was made easier to use compared to previous versions of Windows (Windows XP, 2014).
Windows XP has been around for over 12 years, which is rather old for an operating system. On April 8, 2014, Microsoft ended support for Windows XP. The reason given by Microsoft is that it cannot continue to support old operating systems and still advance with designing new and improved products. Microsoft further stated that it supports its older operating systems considerably longer than the majority of other businesses in the industry, with Windows XP being the longest-supported operating system in its history (Microsoft, 2014).
Microsoft (2014) stipulated that it would no longer patch any security vulnerabilities found in XP or provide technical support for it once support ended. This means that organizations that continue to use XP and do not migrate to a supported operating system are vulnerable to viruses, spyware and malware exploits as well as other malicious attacks, even if they run anti-virus software: anti-virus can only detect malware it already knows about, whereas a newly discovered vulnerability in XP will simply never be fixed.
b) Performing a desktop migration is a complex undertaking, especially within a large organization. The process involves the configuration of each computer, inventories of hardware and software, organizational, employee and client personal data, desktop settings, software licenses and compliance, and much more. It is a lengthy process and, if not done correctly, can put an organization at risk in a number of ways. One major risk is the loss of data. Every computer on an organization's network needs to have its data securely backed up and transferred from the old system to the new system or software; if this is not done correctly, the damage can be great if sensitive data is permanently lost. Another major risk is mistakenly applying unsuitable desktop settings or incorrect hardware or software configurations. It only takes one inappropriately configured computer to allow an attacker to infiltrate an organization's information system and network. For example, if a computer containing client credit card information were mistakenly configured to allow unrestricted file access, that information would be at an incredibly high risk of theft. There is also the risk of the appropriate software not being installed on a desktop, which may prevent the user from doing his or her job and thus slow down production. In a large organization migrating a large number of computers, it is very easy for administrators and technicians to make any one of the above-mentioned mistakes. Incompatibility with the new software or operating system is another concern.
If the new operating system is installed on one or more of an organization's computers that are not compatible with it, or that do not comply with the software license, installation may fail or certain applications, or the computer as a whole, may not function properly, disrupting company productivity. When a migration is done within a large enterprise, the software package is usually delivered electronically over the organization's network. Another issue that can affect productivity is that pushing a large operating system image to many machines at once can rapidly overload the network and cause congestion (Radding, 2004). As we can see, if administrators do not have a plan for dealing with the migration process, it can easily turn into a dreadful experience.
c) In 2004, Alan Radding drew up a list of recommended tips that administrators can use to make software and hardware upgrades easier. I have adapted some of these suggestions into a list of steps that can be used to address the threats and vulnerabilities an organization may face during a software migration:
* Identify and securely capture or back up the existing configuration of each computer that will be migrated.
* Take inventory of the hardware and software on each device.
* Identify and securely capture or back up users' and organizational data and desktop settings, which should be restored automatically.
* Manage software licenses to ensure compliance and compatibility.
* Manage bandwidth to balance the load during migration and avoid network saturation.
* Test the migration package before introducing it to the organization's network.
* Perform vulnerability assessments.
* Implement patch management.
* Verify that all captured configurations and data have been correctly restored.
Performing these tasks can greatly lower an organization's risk during the migration process and help facilitate a smooth transition.
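The capture-and-verify steps in the list above (securely capture the configuration, then confirm it was restored correctly) are the part a script can make concrete. The following is an added example, not from Radding's article or from any migration product: it records a SHA-256 for every file under a profile directory, authenticates that manifest with an HMAC so a baseline altered on the source machine or in transit is rejected rather than trusted, and after the "restore" reports what is missing, changed or unexpectedly present. The directory contents and the key are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumed: a key held by the migration team (not stored on the migrated machines),
# used to authenticate the captured baseline.
MANIFEST_KEY = b"replace-with-a-key-from-your-secret-store"


def build_manifest(root: Path) -> dict:
    """SHA-256 of every regular file under root, keyed by POSIX-style relative path."""
    manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        manifest[path.relative_to(root).as_posix()] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def sign_manifest(manifest: dict, key: bytes = MANIFEST_KEY) -> str:
    """Serialize the manifest canonically and attach an HMAC-SHA256 tag over it."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"files": manifest, "hmac": tag}, sort_keys=True)


def load_manifest(signed: str, key: bytes = MANIFEST_KEY) -> dict:
    """Verify the tag before trusting a single hash in the manifest."""
    doc = json.loads(signed)
    body = json.dumps(doc["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(doc["hmac"], expected):
        raise ValueError("manifest HMAC mismatch: baseline is not trustworthy")
    return doc["files"]


def verify_restore(manifest: dict, root: Path) -> dict:
    """Compare the restored tree against the baseline: what is missing, changed or new."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "extra": sorted(set(current) - set(manifest)),
    }


def demo_round_trip() -> dict:
    """Constructed scenario: capture a baseline, 'restore' it imperfectly, report the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "profile"
        (src / "app").mkdir(parents=True)
        (src / "hosts").write_text("127.0.0.1 localhost\n")
        (src / "app" / "settings.ini").write_text("[proxy]\nenabled=1\n")
        (src / "app" / "cert.pem").write_bytes(b"not-a-real-certificate\n")
        signed = sign_manifest(build_manifest(src))

        # Simulate a faulty restore on the migrated machine.
        (src / "app" / "settings.ini").write_text("[proxy]\nenabled=0\n")   # setting silently reverted
        (src / "app" / "cert.pem").unlink()                                 # file never copied
        (src / "debug.log").write_text("left over by the migration tool\n")  # unexpected extra

        return verify_restore(load_manifest(signed), src)


if __name__ == "__main__":
    print(demo_round_trip())
```

The "changed" list is the one that matters for security: a proxy setting or a certificate that quietly differs after migration is exactly the one-computer misconfiguration described in part b), and a hash comparison catches it where a visual check would not.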
d) Having a carefully crafted, detailed and comprehensive migration plan not only reduces the risk to an organization during the migration process, it also shortens the duration of a migration and is an important step toward a long-term solution for facilitating and securing migrations. The migration plan should be well defined, scalable and repeatable, and adaptable to future migrations. An inventory template should be used for data capture, software packaging, software and hardware configurations and user settings. The inventory should also record the interconnections between systems, with a description of how the new operating system and applications will interact with other systems and applications.
The next step is to automate as many administrative tasks as possible. A number of vendors, such as Symantec Corp., Tranxition Corp., BindView Corp., Altiris Inc. and Computer Associates International Inc., offer desktop management and migration automation suites that handle tasks such as sensitive data migration or vulnerability assessment. A desktop management and migration automation package should deliver nearly all, if not all, of the following capabilities (Radding, 2004):
* Electronic software delivery over the network.
* Software packaging and software image creation.
* Capture and transfer of user profiles, settings and data.
* Asset management.
* Inventory.
* Configuration.
* License compliance.
* Patch management.
* Vulnerability assessment.
Using migration tools eliminates the need to manually migrate each and every computer on an organization's network, which can be a lengthy process, especially within large organizations. It also reduces the room for human error and in turn lowers security risk. IT managers also need to ensure that well-trained technicians perform all of the tasks the automation tool does not cover. Even while using automation tools, administrators must remain vigilant during migrations.
The migration plan should also include bandwidth management so that the load is balanced during migration and the network is not saturated. For example, migration could be done at night when employees are not at work in order to avoid congestion. An alternative is to restrict the migration traffic to a portion of the available bandwidth.
Lastly, once a migration package that includes the new operating system or application has been created, it is imperative that it be thoroughly tested before it is introduced to the organization's network.
Overall, the migration plan needs to be continually reviewed and tested as well. Technology changes all the time, and the migration plan therefore needs to be updated regularly in order to remain relevant and durable.
Question 3 a) Research suggests that airline flights could well be vulnerable to hackers. In the past, aircraft systems were controlled through physical hydraulic-mechanical connections, but newer aircraft, like the Boeing 777, rely on integrated networked computers to send electronic signals to engines, flaps and other important flight systems. These computer networks may enable the exploitation of security vulnerabilities that could cause accidental or deliberate damage to, or disruption of, data and systems, which in turn could jeopardize the safety of the aircraft and the people on board.
One way a hacker could enter an airliner's computer network is through the in-flight entertainment system using a mobile phone. While an airplane is in flight, a technically savvy hacker could use a mobile phone signal to gain access through the onboard entertainment system and then insert a set of malicious commands and code that could initiate a series of processes, says Sally Leivesley, a former antiterrorism adviser to the British government (Clayton, 2014).
b) Since around 2008 commercial airlines have been introducing Wi-Fi on flights as a business strategy to attract more customers. This feature allows passengers to check email and surf the Internet. The main issue with this is data security. Wireless connections in airports and on flights are typically open, unencrypted networks, which means that anyone connected to them is at risk of having their traffic intercepted. David King, chief executive of AirTight Networks, an India-based manufacturer of wireless intrusion protection hardware and software, sends out hackers to conduct unsolicited security assessments. In 2008 his employees collected wireless security data at 20 U.S. airports and 8 airports in Asia. They found a growing number of fake Wi-Fi hot spots established by phishers, as well as a number of open or unprotected networks run by critical operations such as baggage handling and ticketing (Buley, 2008). The same issues apply to in-flight Wi-Fi connections. This is extremely risky because, unless the application itself encrypts its traffic (for example, a website served over HTTPS, or a VPN tunnel), data such as user names and passwords cross the network in clear text, and anyone sniffing the wireless medium can very easily get hold of an innocent passenger's sensitive data.
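A scan audit of the kind the AirTight team ran, as an added example (it is not AirTight's tool or anything from Buley's article). The allow-list and the scan results are constructed; the four checks are the ones a wireless intrusion detection system applies to survey data: a known SSID advertised from an unauthorised BSSID (an evil twin), a legitimate access point running the wrong security setting (the open baggage-handling network), an SSID that differs from a known one only by case or punctuation (the phisher's hot spot), and any remaining open network.

```python
# Constructed allow-list of legitimate access points: SSID -> authorised BSSIDs and expected security.
KNOWN_GOOD = {
    "Airport_Free_WiFi": {"bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"}, "security": "WPA2"},
    "AIRPORT-OPS": {"bssids": {"00:11:22:33:44:10"}, "security": "WPA2"},
}

# Constructed scan results, in the shape a WIDS sensor or a laptop survey tool would produce.
SCAN = [
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:01", "security": "WPA2", "rssi": -55},
    {"ssid": "Airport_Free_WiFi", "bssid": "00:11:22:33:44:02", "security": "WPA2", "rssi": -61},
    {"ssid": "Airport_Free_WiFi", "bssid": "de:ad:be:ef:00:01", "security": "OPEN", "rssi": -40},
    {"ssid": "Airport Free WiFi", "bssid": "de:ad:be:ef:00:02", "security": "OPEN", "rssi": -42},
    {"ssid": "AIRPORT-OPS",       "bssid": "00:11:22:33:44:10", "security": "OPEN", "rssi": -70},
    {"ssid": "Free Public WiFi",  "bssid": "de:ad:be:ef:00:03", "security": "OPEN", "rssi": -50},
    {"ssid": "CoffeeShop",        "bssid": "aa:bb:cc:dd:ee:ff", "security": "WPA2", "rssi": -80},
]


def normalise(ssid: str) -> str:
    """Collapse case, spacing and punctuation so 'Airport Free WiFi' matches 'Airport_Free_WiFi'."""
    return "".join(ch for ch in ssid.lower() if ch.isalnum())


def audit_scan(scan, known_good):
    """Return (bssid, ssid, reason) for every access point that deserves a closer look."""
    by_norm = {normalise(ssid): ssid for ssid in known_good}
    findings = []
    for ap in scan:
        ssid, bssid, sec = ap["ssid"], ap["bssid"].lower(), ap["security"].upper()
        if ssid in known_good:
            expected = known_good[ssid]
            if bssid not in expected["bssids"]:
                findings.append((bssid, ssid, "unknown BSSID advertising a known SSID: possible evil twin"))
            elif sec != expected["security"]:
                findings.append((bssid, ssid,
                                 f"authorised AP running {sec} instead of {expected['security']}: misconfiguration"))
        else:
            canon = by_norm.get(normalise(ssid))
            if canon is not None:
                findings.append((bssid, ssid, f"lookalike of known SSID {canon!r}: possible phishing hot spot"))
            elif sec == "OPEN":
                findings.append((bssid, ssid, "open network: traffic readable by anyone in range unless TLS/VPN is used"))
    return findings


if __name__ == "__main__":
    for bssid, ssid, reason in audit_scan(SCAN, KNOWN_GOOD):
        print(f"{bssid}  {ssid!r:22} {reason}")
```

Note that the strongest signal in the constructed scan (the evil twin at -40 dBm) is the one a passenger's laptop would join first; an allow-list keyed on BSSID, not just SSID, is what makes it visible.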
c) Air traffic control (ATC) systems and Supervisory Control and Data Acquisition (SCADA) systems have unrelated functions and purposes. However, both are used for highly critical functions. ATC computer systems are crucial to the safe and efficient movement of aircraft, as they relay important information to controllers and flight crews (Aviation Security, 2000). SCADA systems are used to monitor and control plant and equipment in the telecommunications, water, wastewater, energy, oil and gas refining, and transportation industries (Vacca, 2013). Insufficiently securing either kind of system, or the physical location in which it is housed, could cause countrywide disruption or damage, or even result in the loss of human lives. Physical security of ATC and SCADA facilities is therefore crucial: if an unauthorized employee or an attacker gained access to sensitive areas, intentional or unintentional actions could result in disaster. Secondly, ATC and SCADA operational systems need sufficient and appropriate security safeguards; vulnerabilities found in either are a potential threat to public safety. Lastly, it is imperative that the management of ATC and SCADA systems have an up-to-date computer security policy in place and ensure that it is being executed and applied. From this viewpoint, any information system handling critical information and functions shares these security concerns, and following the computer security practices mentioned is essential to securing such systems.
d) For a long time, the use of mobile devices on flights was prohibited, on the grounds that they could interfere with the aircraft's onboard electronics and systems such as navigation or antenna receivers. Recently more and more airlines have been considering whether to allow passengers to use handheld devices during flights, and some already do. Allowing electronic devices raises two concerns: the security of the electronics in the mobile devices themselves, and the likelihood of travellers engaging in disturbing or disruptive voice calls while in the air. A study conducted in 2013 that examined NASA's Aviation Safety Reporting System incident records found that interference with aircraft electronics has not proven to be a major issue. Lately, however, there have been at least 13 instances in which handheld devices have malfunctioned or overheated, resulting in smoke, fire or fumes in the cabin. Another issue, although perhaps not a great problem right now, is the use of mobile devices to hack into aircraft computer systems, as discussed earlier. One countermeasure employed by airlines is to allow devices to be used during a flight only in flight or airplane mode, which stops them from trying to connect to cellular networks and causing interference. Another countermeasure suggested by safety regulators is to equip aircraft with onboard cellular base stations; these installations must first go through extensive analysis and testing to ensure that they do not interfere with aircraft systems. Thus far, authorities have reported no confirmed incidents of mobile devices affecting the safety of an aircraft fitted with on-board base stations, and the probability of interference is considered very low (Butterworth-Hayes, 2014).
Question 4 1) Apple (2014) published a security white paper a few months ago that lays out in detail how the iPhone's encryption technologies work. The iPhone 6 runs iOS 8, the latest Apple operating system. Apple states that the platform was designed with security as a central feature: the operating system has encryption and data protection capabilities in place to protect an individual's data even when other parts of the security infrastructure have been compromised.
There are a number of parts involved in the iPhone encryption system.
Apple (2014) defines Data Protection as the technology used to protect and encrypt data stored in the flash memory of the device. Data Protection secures user data at rest in the built-in applications, including Messages, Mail, Calendar, Contacts, Photos and Health data, and is applied automatically to third-party apps as well (data in transit is a separate matter, handled by TLS). Data Protection works by creating and managing a hierarchy of cryptographic keys, together with the hardware encryption technologies built into each iOS device. It is controlled on a per-file basis by assigning each file to a class; when a file can be accessed is determined by the class and the policies that apply to it, for example whether the device has to be unlocked.
There is also encryption technology at the hardware level of the iPhone. First, there is the Secure Enclave. According to the International Business Times (2014), this is a coprocessor fabricated in the Apple A7 and later A-series processors. It has its own secure boot and a personalized software update process separate from the application processor. It handles all the cryptographic operations for Data Protection key management and preserves the integrity of Data Protection even if the application processor's kernel has been compromised.
To summarize Apple's (2014) very detailed description of the hardware encryption technologies: each iPhone 6 has a dedicated AES-256 crypto engine built into the DMA (Direct Memory Access) path between flash storage and main system memory. The device's unique identifier (UID) and a device group identifier (GID) are AES 256-bit keys fused (UID) or compiled (GID) into the application processor and the Secure Enclave during manufacturing. No software or firmware can read these keys directly; they can only see the results of encryption or decryption operations performed by the dedicated AES engines in silicon using the UID or GID as the key. Furthermore, the AES engine dedicated to the Secure Enclave can only use that Secure Enclave's own UID and GID. Each iPhone's UID is unique to that device and is not recorded by Apple or any of its suppliers; it cryptographically binds data to that specific device. The GID is shared by all processors in a class of devices and is used for non-security-critical tasks such as system software installation and restore. Because both keys are burned into the silicon, they cannot be tampered with or bypassed, and they are accessible only to the AES engine.
The system's random number generator (RNG) is used to generate all the other cryptographic keys. Data Protection generates a new 256-bit per-file key every time a file on the data partition is created. It hands the key to the hardware AES engine, which uses it to encrypt the file in AES CBC (Cipher Block Chaining) mode as it is written to flash memory. The per-file key is wrapped using NIST AES key wrapping with one of several class keys, depending on the conditions under which the file should be accessible (for example, only while the device is unlocked). The wrapped per-file key is stored in the file's metadata.
Apple (2014) goes on to explain that when iOS is first installed or when a user wipes the device, a random key is generated and used to encrypt the metadata of all files in the file system. This file-system key is stored in Effaceable Storage on the device. When a file is opened, the file-system key is used to decrypt its metadata, revealing the wrapped per-file key and a notation of which class protects it. The per-file key is unwrapped with the class key and then passed to the hardware AES engine, which decrypts the file as it is read from flash memory. The file-system key can be quickly erased by a user or an administrator, and deleting it leaves all files cryptographically inaccessible. There is thus an encryption hierarchy: a file is encrypted with a per-file key, which in turn is wrapped with a class key and stored in the file's metadata; the metadata is encrypted with the file-system key. The class key is protected with the hardware UID and, for some classes, the user's passcode.
Finally, Apple (2014) gives a detailed account of how Data Protection is enabled automatically when a user sets a four-digit or arbitrary-length alphanumeric device passcode. The passcode is entangled with the device's UID to derive the key that protects the passcode-dependent class keys, so an attacker needs the passcode to access the data on the device. Because the UID never leaves the hardware, the passcode cannot be attacked offline on faster equipment; each guess must be made on the device itself, where the key derivation is calibrated to take roughly 80 milliseconds. At that rate it would take more than 5½ years to try every combination of a six-character alphanumeric passcode using lowercase letters and numbers, and the stronger the user's passcode, the stronger the resulting key. iOS also enforces escalating time delays after wrong passcode entries to deter brute-force attacks, and users can set their phones to erase themselves automatically if the wrong passcode is entered 10 consecutive times.
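The key hierarchy just described, as an added example that is not Apple's code or any part of the iOS Security Guide. It models the pieces in Python with the standard library only: the per-file key, the class key that wraps it, the file-system key in Effaceable Storage that encrypts the metadata, the UID-entangled passcode key, the escalating delays and the erase after ten failures. Two substitutions are deliberate and are assumptions of the model, not Apple's design: AES-CBC and NIST AES key wrap are replaced by an HMAC-SHA256 counter-mode keystream with an HMAC tag (an encrypt-then-MAC construction, chosen because Python ships no AES), and PBKDF2 stands in for Apple's UID-keyed AES iteration. The iteration count is arbitrary; the delay values follow the table in the guide.

```python
import hashlib
import hmac
import os

# Delay (seconds) enforced after the Nth consecutive wrong passcode, as tabulated in the guide.
DELAYS = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the hardware AES engine: XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = bytearray()
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Stand-in for NIST AES key wrap: encrypt-then-MAC, so a wrong KEK or a tampered blob is rejected."""
    nonce = os.urandom(16)
    ct = _keystream_xor(kek, nonce, key)
    tag = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(kek, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("unwrap failed: wrong key-encryption key or corrupted blob")
    return _keystream_xor(kek, nonce, ct)


def derive_passcode_key(uid: bytes, passcode: str, iterations: int = 20_000) -> bytes:
    """Entangle the passcode with the device UID. PBKDF2 stands in for Apple's UID-keyed AES
    iteration; what matters is that the result depends on a key that never leaves the silicon,
    so every guess has to be made on the device itself."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, iterations, dklen=32)


class Device:
    def __init__(self, passcode: str, erase_after: int = 10):
        self.uid = os.urandom(32)                       # fused into the SoC; no software can read it
        self.effaceable = {"fs_key": os.urandom(32)}    # file-system key in Effaceable Storage
        class_key = os.urandom(32)                      # one class key, e.g. Complete Protection
        self.wrapped_class_key = wrap_key(derive_passcode_key(self.uid, passcode), class_key)
        self.class_key = None                           # held in memory only while unlocked
        self.files = {}                                 # name -> (encrypted metadata, ciphertext)
        self.failed = 0
        self.erase_after = erase_after

    def unlock(self, passcode: str):
        """Return (success, seconds the device will refuse further attempts)."""
        try:
            self.class_key = unwrap_key(derive_passcode_key(self.uid, passcode), self.wrapped_class_key)
        except ValueError:
            self.failed += 1
            delay = DELAYS.get(self.failed, 0)
            if self.failed >= self.erase_after:
                self.wipe()
            return False, delay
        self.failed = 0
        return True, 0

    def lock(self):
        self.class_key = None

    def wipe(self):
        """'Erase all content': replacing the file-system key leaves every per-file key
        unreachable, regardless of what still sits in flash."""
        self.effaceable["fs_key"] = os.urandom(32)
        self.class_key = None
        self.failed = 0

    def write_file(self, name: str, plaintext: bytes) -> None:
        if self.class_key is None:
            raise PermissionError("device locked")
        file_key, nonce = os.urandom(32), os.urandom(16)
        ciphertext = nonce + _keystream_xor(file_key, nonce, plaintext)
        wrapped_file_key = wrap_key(self.class_key, file_key)              # class key wraps per-file key
        metadata = wrap_key(self.effaceable["fs_key"], wrapped_file_key)   # fs key encrypts the metadata
        self.files[name] = (metadata, ciphertext)

    def read_file(self, name: str) -> bytes:
        if self.class_key is None:
            raise PermissionError("device locked")
        metadata, ciphertext = self.files[name]
        wrapped_file_key = unwrap_key(self.effaceable["fs_key"], metadata)
        file_key = unwrap_key(self.class_key, wrapped_file_key)
        return _keystream_xor(file_key, ciphertext[:16], ciphertext[16:])


if __name__ == "__main__":
    phone = Device("1234")
    phone.unlock("1234")
    phone.write_file("notes.txt", b"meeting at 9")
    phone.lock()
    print(phone.unlock("0000"))            # (False, 0): first miss, no delay yet
    phone.unlock("1234")
    print(phone.read_file("notes.txt"))    # b'meeting at 9'
```

Two things the model makes visible that the prose only asserts: the same passcode on two devices yields two unrelated keys, because the UID is mixed in, so a dump of the flash is useless without the chip that holds it; and after wipe() the old ciphertext is still in self.files but can never be decrypted again, which is why erasing a few hundred bytes of Effaceable Storage is a complete erase.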
2) From a technological standpoint, iPhone encryption is a great feature to have available to the general public, and individuals who are not particularly technically savvy can still feel safe and protected with this new feature. I do understand the concern the FBI and NSA have with regard to criminals and terrorists using the iPhone 6 as a means to sidestep the law, or with not having the ability to decode the contents of a phone during a kidnapping investigation, for example. I believe these are very serious and legitimate concerns and should be addressed. This does not mean that Apple needs to remove the iPhone's encryption capabilities in their entirety, but perhaps it might be possible to reexamine some of the features and make adjustments that address these law enforcement concerns. For example, the Apple Pay encryption system is a great feature to have and may not have much effect on law enforcement, so it could probably remain a security feature on the phone. iMessage and FaceTime encryption, on the other hand, may be an area for concern. I personally think that a feature such as this one, which could very well be used to hide criminal communication, perhaps needs to be revisited. One needs to seriously consider the pros and cons and decide whether one would prefer the peace of mind of knowing one's messages are not being spied on, at the risk of terrorists having more avenues open to them that could aid a potential terrorist attack.
3) Well, there is a lot of debate surrounding the collection of data. There are definite benefits to government and law enforcement agencies having the ability to access data. Having the ability to monitor suspicious activity, or using this data as an aid in research for future developments, are some examples of these benefits. At the same time, we, as the general public, have no idea what else governments may be using this information for, and this tends to make us uncomfortable.
To avid technology users it may seem a well-known fact that data collection occurs; however, there is still a large portion of the world's population who are ignorant of the risks they take when sending personal and private information using modern-day technology. Increasing public awareness, warning and educating individuals about the risks of using modern technology, as well as educating them about the various security options available to them, is key. Equipped with this knowledge, it should then be left up to the individual to decide what measure of risk they are willing to take. Furthermore, if an individual prefers to keep their information private, they have the option of paying for a more secure email service, for example.
4) When weighing the pros and cons of a security measure, one of the things you have to consider is whether the benefit justifies the cost of the security measure. In this case, working in a cybersecurity position most likely requires that sensitive security information be transmitted through email. This would make the email account an attractive target to cyber criminals looking to gain valuable information that could assist them in planning an attack on the organization I would hypothetically be working for. In my opinion, since the risk is fairly high and the cost of $40 a month is fairly low, I would make the investment and go with the more secure email service.
5) The answer in a nutshell: it's good for business. Doing what benefits your consumers is beneficial for your business. By addressing consumer privacy needs, Apple understands that it will build trust and strengthen consumer relationships with the company and its products in the long term. Apple has clearly done extensive research on the public's concern with privacy in the post-Snowden era and has used this information as a great marketing tool. It is not only consumers who are affected by how privacy issues are addressed; investors are also paying close attention to whether companies are employing privacy measures in their products. In 2011, research showed a 60% correlation between how much trust consumers had in a brand and how much they were willing to spend on a product from that brand (Ozer & Conley, 2012). Conversely, not meeting consumer privacy needs can cause a potential loss of business, loss of investors and mistrust in the company.
References:
* Apple Inc. (2014). iOS Security Guide, October 2014, iOS 8.1 or later. Retrieved from https://www.apple.com/business/docs/iOS_Security_Guide_Oct_2014.pdf
* Buley, T. (2008). Phishing at Gate B22. Forbes Asia, 182(12), 52-54. Retrieved from http://www.forbes.com/global/2008/1208/084.html
* Butterworth-Hayes, P. (2014). Next step in electronic freedom on planes. Aerospace America, 52(1), 4-6. Retrieved from http://www.aerospaceamerica.org/Documents/AerospaceAmerica%20PDFs%20-%202014/January%202014/AeroAmerica_JAN2014.pdf
* Clayton, M. (2014). Malaysia Airlines Flight MH370: Are planes vulnerable to cyber-attack? Christian Science Monitor. Retrieved from http://www.csmonitor.com/World/Security-Watch/Cyber-Conflict-Monitor/2014/0324/Malaysia-Airlines-Flight-MH370-Are-planes-vulnerable-to-cyber-attack-video
* Dillingham, G. (2000). Aviation Security: Vulnerabilities Still Exist in the Aviation Security System. GAO Reports. Retrieved from http://www.gao.gov/assets/110/108370.pdf
* International Business Times. (2014, March 4). Apple iPhone 6 Released Update: Security Features Based on the iPhone 5s, Secure Enclave and More. International Business Times. Retrieved from http://eds.b.ebscohost.com.ezproxy.umuc.edu/eds/detail/detail?sid=91155c99-edef-4cec-b5f4-8d241073f1f6%40sessionmgr110&vid=4&hid=114&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=bwh&AN=541727.20140304
* Karchmer, J. (2013, June). Responding To Alleged Intellectual Property Theft: Mitigating Business Risk With Computer Forensics. The Metropolitan Corporate Counsel. Retrieved from http://www.metrocorpcounsel.com/pdf/2013/June/12.pdf
* Microsoft. (2014). Windows XP support has ended. Retrieved from http://windows.microsoft.com/en-us/windows/end-support-help
* Morrison, M. I. (2013). The Acquisition Supply Chain and the Security of Government Information Purchases. Public Contract Law Journal, 42(4), 749-792. Retrieved from http://eds.b.ebscohost.com.ezproxy.umuc.edu/eds/detail/detail?sid=ff93b502-99e6-48a4-a489-2119ab70ed36%40sessionmgr198&vid=12&hid=114&bdata=JnNpdGU9ZWRzLWxpdmUmc2NvcGU9c2l0ZQ%3d%3d#db=a9h&AN=90233842
* Ozer, N., & Conley, C. (2012). Privacy & Free Speech: It's Good for Business (2nd ed.). Retrieved from http://aclunc-tech.org/primer/
* Radding, A. (2004). Roll with the changes. Federal Computer Week, 18(37), 34-36. Retrieved from http://fcw.com/articles/2004/10/18/roll-with-the-changes.aspx
* Vacca, J. (2013). Computer and Information Security Handbook (2nd ed.). Waltham, MA: Morgan Kaufmann.
* Windows XP. (2014). Retrieved from http://www.techterms.com/definition/windowsxp
Dear Anthea,
Great job! Thanks for turning it in on time. You did not have to set the justification to full to write less. I believe you have enough details and good answers to do so. Overall, great job!